The caddy sidecar uses on-demand TLS and asks http://app:3000/tls-check before issuing a cert.
On a shared host every co-located stack aliases its main service 'app' on the 'proxy' overlay;
caddy (on both proxy+internal) resolves bare 'app' to a FOREIGN stack's endpoint, so the tls-check
connection is refused, no cert is issued, and the PDS is unreachable over HTTPS (xrpc/_health=000).
Give the PDS a unique 'pds' alias on the internal network and point caddy's reverse_proxy +
on_demand_tls ask at it; 'pds' exists only on internal, so it always resolves to this stack's PDS.
Service name stays 'app' (no downstream breakage).
Pin an exact released image tag. The previous pin :0.4 is a moving tag
that upstream now republishes with main-branch builds (currently
@atproto/pds 0.5.1 on Node 24, where the service entrypoint moved from
/app/index.js to /app/index.ts), so the recipe's entrypoint.sh
(exec node --enable-source-maps index.js) crash-loops MODULE_NOT_FOUND.
ghcr.io/bluesky-social/pds:0.4.219 is the newest released exact tag and
keeps the layout this recipe's entrypoint expects (Node 20.20,
/app/index.js, dumb-init).
